Our IPv6 stack was scanning all extension headers for routing header

type 0 and dropped the packet if it found one.  RFC 5095 demands
to handle a routing header type 0 like an unrecognised routing type.
This is enough to protect the own machine.

To protect a network as a firewall, we have pf which does the same
full scan in pf_walk_header6().  As pf is enabled by default, nothing
changes for most users.  If you turn off pf on your router, you
should not expect extra protection.

Get rid of the double scanning in ip6_input() and and the older
disabled code in route6_input().  No more special treatment of
routing header type 0 in the IPv6 stack.

OK henning@ mikeb@

2 files changed, 5 insertions, 198 deletions

diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index be34304d7c9..d8915befeb9 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip6_input.c,v 1.115 2013/10/17 16:27:46 bluhm Exp $	*/
+/*	$OpenBSD: ip6_input.c,v 1.116 2013/10/19 21:25:15 bluhm Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -122,7 +122,6 @@ struct ifqueue ip6intrq;
 struct ip6stat ip6stat;
 
 void ip6_init2(void *);
-int ip6_check_rh0hdr(struct mbuf *, int *);
 
 int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
@@ -318,15 +317,6 @@ ip6_input(struct mbuf *m)
 	}
 #endif
 
-	if (ip6_check_rh0hdr(m, &off)) {
-		ip6stat.ip6s_badoptions++;
-		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
-		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
-		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER, off);
-		/* m is already freed */
-		return;
-	}
-
 #if NPF > 0
         /*
          * Packet filter
@@ -707,74 +697,6 @@ ip6_input(struct mbuf *m)
 	m_freem(m);
 }
 
-/* scan packet for RH0 routing header. Mostly stolen from pf.c:pf_test() */
-int
-ip6_check_rh0hdr(struct mbuf *m, int *offp)
-{
-	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
-	struct ip6_rthdr rthdr;
-	struct ip6_ext opt6;
-	u_int8_t proto = ip6->ip6_nxt;
-	int done = 0, lim, off, rh_cnt = 0;
-
-	off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr);
-	lim = min(m->m_pkthdr.len, ntohs(ip6->ip6_plen) + sizeof(*ip6));
-	do {
-		switch (proto) {
-		case IPPROTO_ROUTING:
-			*offp = off;
-			if (rh_cnt++) {
-				/* more then one rh header present */
-				return (1);
-			}
-
-			if (off + sizeof(rthdr) > lim) {
-				/* packet to short to make sense */
-				return (1);
-			}
-
-			m_copydata(m, off, sizeof(rthdr), (caddr_t)&rthdr);
-
-			if (rthdr.ip6r_type == IPV6_RTHDR_TYPE_0) {
-				*offp += offsetof(struct ip6_rthdr, ip6r_type);
-				return (1);
-			}
-
-			off += (rthdr.ip6r_len + 1) * 8;
-			proto = rthdr.ip6r_nxt;
-			break;
-		case IPPROTO_AH:
-		case IPPROTO_HOPOPTS:
-		case IPPROTO_DSTOPTS:
-			/* get next header and header length */
-			if (off + sizeof(opt6) > lim) {
-				/*
-				 * Packet to short to make sense, we could
-				 * reject the packet but as a router we 
-				 * should not do that so forward it.
-				 */
-				return (0);
-			}
-
-			m_copydata(m, off, sizeof(opt6), (caddr_t)&opt6);
-
-			if (proto == IPPROTO_AH)
-				off += (opt6.ip6e_len + 2) * 4;
-			else
-				off += (opt6.ip6e_len + 1) * 8;
-			proto = opt6.ip6e_nxt;
-			break;
-		case IPPROTO_FRAGMENT:
-		default:
-			/* end of header stack */
-			done = 1;
-			break;
-		}
-	} while (!done);
-
-	return (0);
-}
-
 /*
  * Hop-by-Hop options header processing. If a valid jumbo payload option is
  * included, the real payload length will be stored in plenp.
diff --git a/sys/netinet6/route6.c b/sys/netinet6/route6.c
index 62aa3de5b1f..d129046b700 100644
--- a/sys/netinet6/route6.c
+++ b/sys/netinet6/route6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: route6.c,v 1.17 2008/06/11 19:00:50 mcbride Exp $	*/
+/*	$OpenBSD: route6.c,v 1.18 2013/10/19 21:25:15 bluhm Exp $	*/
 /*	$KAME: route6.c,v 1.22 2000/12/03 00:54:00 itojun Exp $	*/
 
 /*
@@ -44,10 +44,6 @@
 
 #include <netinet/icmp6.h>
 
-#if 0
-static int ip6_rthdr0(struct mbuf *, struct ip6_hdr *, struct ip6_rthdr0 *);
-#endif
-
 /*
  * proto is unused
  */
@@ -68,43 +64,12 @@ route6_input(struct mbuf **mp, int *offp, int proto)
 	}
 
 	switch (rh->ip6r_type) {
-#if 0
-	/*
-	 * See http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
-	 * for why IPV6_RTHDR_TYPE_0 is banned here.
-	 *
-	 * We return ICMPv6 parameter problem so that innocent people
-	 * (not an attacker) would notice about the use of IPV6_RTHDR_TYPE_0.
-	 * Since there's no amplification, and ICMPv6 error will be rate-
-	 * controlled, it shouldn't cause any problem.
-	 * If you are concerned about this, you may want to use the following
-	 * code fragment:
-	 *
-	 * case IPV6_RTHDR_TYPE_0:
-	 *	m_freem(m);
-	 *	return (IPPROTO_DONE);
-	 */
 	case IPV6_RTHDR_TYPE_0:
-		rhlen = (rh->ip6r_len + 1) << 3;
-		if (rh->ip6r_segleft == 0)
-			break;	/* Final dst. Just ignore the header. */
 		/*
-		 * note on option length:
-		 * maximum rhlen: 2048
-		 * max mbuf m_pulldown can handle: MCLBYTES == usually 2048
-		 * so, here we are assuming that m_pulldown can handle
-		 * rhlen == 2048 case.  this may not be a good thing to
-		 * assume - we may want to avoid pulling it up altogether.
+		 * RFC 5095 specifies to handle routing header type 0
+		 * the same way as an unrecognised routing type.
 		 */
-		IP6_EXTHDR_GET(rh, struct ip6_rthdr *, m, off, rhlen);
-		if (rh == NULL) {
-			ip6stat.ip6s_tooshort++;
-			return IPPROTO_DONE;
-		}
-		if (ip6_rthdr0(m, ip6, (struct ip6_rthdr0 *)rh))
-			return (IPPROTO_DONE);
-		break;
-#endif
+		/* FALLTHROUGH */
 	default:
 		/* unknown routing type */
 		if (rh->ip6r_segleft == 0) {
@@ -120,83 +85,3 @@ route6_input(struct mbuf **mp, int *offp, int proto)
 	*offp += rhlen;
 	return (rh->ip6r_nxt);
 }
-
-#if 0
-/*
- * Type0 routing header processing
- *
- * RFC2292 backward compatibility warning: no support for strict/loose bitmap,
- * as it was dropped between RFC1883 and RFC2460.
- */
-static int
-ip6_rthdr0(struct mbuf *m, struct ip6_hdr *ip6, struct ip6_rthdr0 *rh0)
-{
-	int addrs, index;
-	struct in6_addr *nextaddr, tmpaddr;
-
-	if (rh0->ip6r0_segleft == 0)
-		return (0);
-
-	if (rh0->ip6r0_len % 2) {
-		/*
-		 * Type 0 routing header can't contain more than 23 addresses.
-		 * RFC 2460: this limitation was removed since strict/loose
-		 * bitmap field was deleted.
-		 */
-		ip6stat.ip6s_badoptions++;
-		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
-			    (caddr_t)&rh0->ip6r0_len - (caddr_t)ip6);
-		return (-1);
-	}
-
-	if ((addrs = rh0->ip6r0_len / 2) < rh0->ip6r0_segleft) {
-		ip6stat.ip6s_badoptions++;
-		icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
-			    (caddr_t)&rh0->ip6r0_segleft - (caddr_t)ip6);
-		return (-1);
-	}
-
-	index = addrs - rh0->ip6r0_segleft;
-	rh0->ip6r0_segleft--;
-	nextaddr = ((struct in6_addr *)(rh0 + 1)) + index;
-
-	/*
-	 * reject invalid addresses.  be proactive about malicious use of
-	 * IPv4 mapped/compat address.
-	 * XXX need more checks?
-	 */
-	if (IN6_IS_ADDR_MULTICAST(nextaddr) ||
-	    IN6_IS_ADDR_UNSPECIFIED(nextaddr) ||
-	    IN6_IS_ADDR_V4MAPPED(nextaddr) ||
-	    IN6_IS_ADDR_V4COMPAT(nextaddr)) {
-		ip6stat.ip6s_badoptions++;
-		goto bad;
-	}
-	if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
-	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst) ||
-	    IN6_IS_ADDR_V4MAPPED(&ip6->ip6_dst) ||
-	    IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
-		ip6stat.ip6s_badoptions++;
-		goto bad;
-	}
-
-	/*
-	 * Swap the IPv6 destination address and nextaddr. Forward the packet.
-	 */
-	tmpaddr = *nextaddr;
-	*nextaddr = ip6->ip6_dst;
-	if (IN6_IS_ADDR_LINKLOCAL(nextaddr))
-		nextaddr->s6_addr16[1] = 0;
-	ip6->ip6_dst = tmpaddr;
-	if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst))
-		ip6->ip6_dst.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);
-
-	ip6_forward(m, 1);
-
-	return (-1);			/* m would be freed in ip6_forward() */
-
-  bad:
-	m_freem(m);
-	return (-1);
-}
-#endif